Industry insights

Making the old new again: The power of experiential learning to build cybersecurity skills

February 7, 2022 by Christine McKenzie

When it comes to learning a new skill, the best way to master it is by rolling up your sleeves and getting elbow deep — and cybersecurity is no exception. Teachers and pedagogy experts refer to this learning as “experiential learning” or “learning by doing.” Studies show that experiential learners are more engaged and more likely to retain new information. They also learn more quickly than traditional learners and can hit the ground running with their new skills.

For these reasons and more, organizations are embracing experiential learning as the best way to teach cybersecurity skills, whether that means a seasoned professional picking up a new certification or a non-technical staff learning the basics of security awareness

Harnessing the power of experiential learning | Infosec Inspire 2021

Web-based learning provides flexibility and scalability 

Web-based cybersecurity training has a few advantages over in-person training. The first is flexibility. No situation put this to the test more than the COVID-19 pandemic. While campuses across the country were shutting down, online providers could ensure their students had uninterrupted access to coursework. At the start of the lockdown, Infosec’s students were already taking boot camps online at a rate of about 75%. Having a robust digital learning presence meant it was easy to seamlessly pivot into a fully remote learning environment. It also meant that students and instructors didn’t have to adapt to new learning tools, which was a struggle faced by many brick-and-mortar institutions quickly. 

The second major advantage is scalability. It can be tough to scale an in-person curriculum — especially if you’re looking to train hundreds of people across multiple locations. Web-based cybersecurity training can be scaled to accommodate as few or as many learners as needed without sacrificing the quality of the content or the level of engagement. 

The learning experience can also be customized to meet the needs of each student. “Our online learning platform is very elastic compared to most. I mean that most learning platforms push you in a certain direction. Still, our platform is designed that you can go backward, forwards and horizontal,” explains Keatron Evans, principal security researcher at Infosec. “We’ve seen first hand that people who need a little more reinforcement on that specific topic can move horizontally really quickly to relate a topic and read up on it and fill that gap in a matter of thirty minutes.” 

Cybersecurity training isn’t limited to technical skill development

When we think about cybersecurity training, the first thing to mind is probably technical training for security professionals. But that’s not its only application. “Adult learning science around experiential learning also works really well for security awareness,” explains Jack Koziol, CEO and founder of Infosec. “We’ve seen that with the launch of the Choose Your Own Adventure® games that we rolled out this year.” 

The games he’s referring to are dozens of interactive scenarios that help employees learn by doing. Using a system of decisions and rewards, the games are designed to develop cyber awareness among employees. They also teach professionals the critical thinking and decision-making skills needed to defeat hackers who rely more and more on behavioral manipulation and social engineering tactics. 

A far cry from the dreaded PowerPoints favored by traditional corporate trainers, the games are interactive “safe spaces” where people can make mistakes and intentionally choose incorrect actions to see what happens. “By combining these engaging storylines and real-world scenarios, it helps people understand what they need to do and then make the right decision when it comes a time from an awareness and culture shift point of view.”

A word of advice for teaching and learning cybersecurity 

“The biggest mistake people make when trying to get into cyber is not doing it,” says Evans. “Don’t sit there and procrastinate about it. Jump into the platform and just start. Start learning, start absorbing the content.” Starting the cybersecurity journey can feel intimidating for many learners, especially those with non-technical backgrounds. However, experiential learning platforms are flexible and can meet the educational needs of any user, from novices to seasoned experts.  

For cybersecurity instructors, he offers this advice: “We need to be adaptable.” Not everyone wants the same learning experience. He recommends meeting people where they’re at and continuing to push the envelope with newer and more creative learning opportunities. 

The future of experiential learning in cybersecurity 

Experiential learning isn’t just another fad. “I think it’s a trend that’s going to accelerate,” says Koziol. “If you think about what we can do with technology now with platforms and with engagement, and you combine that with what can be created in terms of content […] there’s a big tailwind for experiential learning and being able to reach people more effectively than we have been able to in the past.” 

As for Infosec, experiential learning is their north star for developing new training resources. With notable excitement in his voice, Evans shares that “we have an extremely aggressive plan going forward for the amount of new ranges and new labs we’re rolling out. I’m really, really excited about that.” 

Want more content like this? Check out upcoming events at webinars here.



Posted: February 7, 2022
Christine McKenzie
View Profile

Christine McKenzie is a professional writer with a Master of Science in International Relations. She enjoys writing about career and professional development topics in the Information Security discipline. She has also produced academic research about the influence of disruptive Information and Communication Technologies on human rights in China. Previously, she was a university Career Advisor where she worked extensively with students in the Information Technology and Computer Programming fields.